Compatibility with Content Security Policy without 'unsafe-eval'?
josephguillaume opened this issue · 3 comments
I tried to use solid-auth-client.bundle.js to add solid to an existing website that uses Content Security Policy and ran into the error:
EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: ...
Obviously the error can be avoided by setting unsafe-eval, but it would be great if this wasn't necessary.
It appears the error is due to Function constructor calls in solid-auth-client dependencies.
The ones I found are:
@trust/json-document, which it appears is a dependency of @solid/oidc-rp both directly and indirectly via @solid/jose.
https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Validator.js#L64
https://github.com/anvilresearch/json-document/blob/c2be5e377ebfda753ec9753d5107557617e08b64/src/Initializer.js#L34
In the webpack build of browser/index.js:
// This works if eval is allowed (see CSP)
g = g || new Function("return this")();
It appears this is a webpack configuration issue somewhere, requiring a node:false setting?
https://stackoverflow.com/questions/48695579/how-to-remove-eval-and-function-constructor-from-webpack-build-to-avoid-csp-issu
Fixing this is a bit out of my depth but I thought I'd share what I discovered so far...
Just noticed the @trust/json-document errors should be addressed by PR #150
Thanks for digging into this! I recently did a big dependency update of the mashlib stack but didn't drill down into solid-auth-client. Sounds like I should have, so I made a note of it. I'll try to find time to look into this!
Presumably this issue can now be closed as no longer relevant given that solid-auth-client is now a legacy library and there are other more major security issues?